OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

Access Controls for Office of Enforcement and Compliance Assurance Systems Need Improvement

Report No. 2004-P-00015

April 26, 2004

Report Contributors:
    Edward Densmore
    Teresa Richardson
    Debbie Hunter
    Martin Bardak
    Bill Coker

Abbreviations

EPA     Environmental Protection Agency
FTTS    Federal Insecticide, Fungicide, and Rodenticide Act/Toxic Substance Control Act Tracking System
ICIS    Integrated Compliance Information System
OECA    Office of Enforcement and Compliance Assurance
OIG     Office of Inspector General
OMB     Office of Management and Budget
SSTS    Section Seven Tracking System

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

April 26, 2004

MEMORANDUM

SUBJECT:  Access Controls for Office of Enforcement and Compliance Assurance Systems Need Improvement
          Report No. 2004-P-00015

FROM:     Patricia H. Hill, Director
          Business Systems Audits (2421T)

TO:       Michael M. Stahl, Director
          Office of Compliance
          Office of Enforcement and Compliance Assurance (2221A)

This is our final report regarding implementation of authentication and identification controls. This audit report contains a finding that describes a problem the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA) has identified and the corrective action the OIG recommends. This report represents the opinion of the OIG, and the finding contained in this audit report does not necessarily represent the final EPA position. Final determinations on matters in this audit report will be made by EPA managers in accordance with established EPA audit resolution procedures.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to the finding and recommendation presented in this audit report within 90 days of the report date. You should include a corrective action plan for agreed upon actions, including milestone dates. We have no objection to the further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig. If you or your staff have any questions regarding this report, please contact me at (202) 566-0894 or the Assignment Manager, Ed Densmore, at (202) 566-2565.

Purpose

On September 30, 2003, we issued Report No. 2003-P-00017, EPA's Computer Security Self-Assessment Process Needs Improvement, which identified weaknesses related to EPA's self-assessment process and made recommendations to the Office of Environmental Information's Director for Technology, Operations and Planning. Among other things, the audit assessed whether: (1) computer security self-assessments were accurate and complete; (2) EPA identified all major applications; and (3) major application systems used authentication and identification controls to protect against unauthorized access and misuse.

During the prior audit, we had identified some access control weaknesses specific to three Office of Enforcement and Compliance Assurance (OECA) systems. This additional report addresses those OECA system-specific weaknesses we found during our review.

Background

The Federal Information Security Management Act and its predecessor, the Government Information Security Reform Act, require all Federal agencies to conduct annual reviews of their security program and to report the results of those assessments to the Office of Management and Budget (OMB). OMB reviews the assessment results to determine how well agencies implemented security requirements.

The OECA systems we reviewed are critical to the Agency's enforcement and compliance activities. These systems are:

• Federal Insecticide, Fungicide, and Rodenticide Act/Toxic Substance Control Act Tracking System (FTTS). FTTS supports the day-to-day tracking of inspections for pesticides, as well as compliance and enforcement under the applicable EPA laws.

• Section Seven Tracking System (SSTS). Similar to FTTS, SSTS supports the pesticides program by tracking pesticide-producing establishments, registration records of new establishments, and the types and amounts of pesticides produced at each establishment. SSTS also contains Confidential Business Information, such as the addresses of the pesticide-producing establishments.

• Integrated Compliance Information System (ICIS). ICIS integrates the national compliance and enforcement data from numerous individual systems. This system is expected to eventually integrate data regarding all media that EPA regulates (e.g., air, toxics, pesticides, and hazardous waste).

Scope and Methodology

We conducted audit field work at EPA Headquarters and Regions 1, 2, 3, 5, and 6. To accomplish this audit objective, we used a variety of criteria, including:

• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources.
• National Institute of Standards and Technology Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems.
• EPA Directive 2195A1, Information Security Manual.

We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. We reviewed system access listings and verified that users still needed access to the system. We also tested their respective levels of access to ensure they were appropriate. In addition, we reviewed system coordinator/administrator listings to determine whether adequate personnel had been assigned to ensure the availability of the systems to users.

Prior Audit Coverage

• EPA OIG Report No. 2003-P-00017, EPA's Computer Security Self-Assessment Process Needs Improvement, dated September 30, 2003: This report recommended implementing a systematic monitoring and evaluation program to increase the reliance management can place on the information technology security data it collects.

• EPA OIG Report No. 2002-S-00017, Government Information Security Reform Act: Status of EPA Computer Security Program, dated September 16, 2002: This report noted that management must continue to seek improvements in the areas of risk assessments, effective oversight processes, and training employees with significant security responsibilities.

Results of Review

Access controls to three critical OECA systems (FTTS, SSTS, and ICIS) need improvement. Inadequate implementation of access controls increases the possibility of valid users not being able to gain access to these systems in a timely manner should a problem occur. Moreover, these vulnerabilities increase the potential for unauthorized changes to system data. These weaknesses occurred because user access lists were either not reconciled or not consistently reconciled. Specifically:

• We found that some regions did not have a backup system administrator/coordinator for FTTS and SSTS to ensure the proper administration and availability of the system. A system administrator has the ability to grant, remove, or change a user's access. A system coordinator begins the process of facilitating the granting, removing, and changing of a user's access. An extended absence of a system administrator/coordinator could delay a valid user from being granted access to a system, and could impede the timely removal of users that no longer need access. We brought this finding to the attention of the responsible system administrators/coordinators, and they granted system administrator/coordinator access to some users who will serve as backups to the primary system administrator/coordinator.

• We identified instances where users' access levels were not appropriate for their job functions. For example, we identified three SSTS users with system update ability who no longer needed access to the system to perform their duties. Management placed the system data in jeopardy of unauthorized alteration by not promptly removing this access. In addition, we found an ICIS user who unnecessarily possessed system administrator rights, thereby allowing this user to add, delete, or alter data, as well as grant this access to other individuals. This user confirmed system administrator rights were no longer needed. System administrator access should be strictly controlled and, in this instance, there were an adequate number of ICIS users with this ability. After we brought this weakness to the attention of OECA officials, the system access levels for the users involved were appropriately changed.

These systems contain confidential or enforcement-sensitive data that is critical to the compliance/enforcement activities of the Agency. Therefore, adequate access controls are vital to ensure the availability and integrity of the compliance and enforcement data in these systems.

The noted weaknesses occurred because the systems' user access lists either were not reconciled or were not consistently reconciled, as required by Agency policy. EPA's Information Security Manual stipulates that managers of major applications must ensure access controls are reviewed monthly. In particular, information managers should verify that the system access lists reflect only valid users and the appropriate levels of access for them to perform their jobs. During our audit, we found no indication that system administrators conducted reconciliations of the access listings for FTTS and ICIS. System administrators said they added and removed users based on an informal process and were not performing any reconciliations. We also found reconciliations were not occurring consistently with the SSTS access listings; frequent changes in SSTS system coordinators caused the reconciliation process to be overlooked as new coordinators familiarized themselves with their duties.

Recommendation

We recommend that OECA's Director for Compliance:

1. Reiterate to information managers their responsibilities in EPA's Information Security Manual requiring them to verify (i.e., reconcile) that access lists reflect only valid users and the appropriate access levels commensurate with the users' current job functions.

Agency Comments and OIG Evaluation

In a memorandum dated April 7, 2004, OECA's Director for the Office of Compliance responded to our draft report (see Appendix A) and concurred with our recommendation. However, OECA disagreed with our statement that "Access to three critical OECA systems (FTTS, SSTS, and ICIS) was not adequately controlled," and asserted that procedures have been in place and access to the systems is controlled. We do not dispute that controls exist, but believe that our statement is accurate because the weaknesses identified were caused by inadequately implemented controls. Nevertheless, we modified the report so that it cannot be interpreted that no controls are in place. OECA also stated that these weaknesses were not identified at Headquarters, and we agree. Although we did not state in our draft report where the weaknesses were identified, we clarified the report to indicate the weaknesses were found in the regions.

Appendix A

[Agency response memorandum dated April 7, 2004; not reproduced in this text extraction.]

Appendix B

Distribution

Director, Office of Compliance (221A)
Branch Chief, Data System and Information Management Branch (2222A)
Audit Liaison, Office of Enforcement and Compliance Assurance (2201A)
Comptroller (2731A)
Agency Followup Official (the CFO) (2710A)
Agency Audit Followup Coordinator (2724A)
Associate Administrator for Congressional and Intergovernmental Relations (1301A)
Associate Administrator, Office of Public Affairs (1101A)
Inspector General (2410)
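The monthly reconciliation the Information Security Manual requires (access lists reflect only valid users at the level their current job needs) and the backup-administrator check from the first finding in Results of Review, as an added Python example that is not part of the OIG report; the access listing, job roster, field names, region names and access levels are all constructed for illustration:

```python
# Added example, not from the OIG report: a monthly reconciliation of a
# system access listing (FTTS/SSTS/ICIS style) against the current job
# roster, plus the backup-administrator check from the first finding.
from collections import defaultdict

# Constructed access listing: who has an account, where, and at what level.
ACCESS_LISTING = [
    {"user": "rsmith", "region": "Region 1", "level": "update"},
    {"user": "jdoe", "region": "Region 1", "level": "admin"},
    {"user": "kchen", "region": "Region 1", "level": "admin"},
    {"user": "mlee", "region": "Region 2", "level": "admin"},
    {"user": "tkim", "region": "Region 2", "level": "update"},
    {"user": "pnguyen", "region": "Region 5", "level": "read"},
    {"user": "aford", "region": "Region 5", "level": "admin"},
]

# Constructed job roster: the level each person's current duties require.
# A user missing from the roster has left or changed jobs and needs no access.
JOB_ROSTER = {"rsmith": "update", "jdoe": "admin", "kchen": "admin",
              "tkim": "read", "pnguyen": "read", "aford": "read"}

LEVEL_RANK = {"read": 0, "update": 1, "admin": 2}


def reconcile(listing, roster):
    """Return (user, current level, action) for access to remove or reduce."""
    findings = []
    for entry in listing:
        needed = roster.get(entry["user"])
        if needed is None:
            findings.append((entry["user"], entry["level"], "remove"))
        elif LEVEL_RANK[entry["level"]] > LEVEL_RANK[needed]:
            findings.append((entry["user"], entry["level"], f"reduce to {needed}"))
    return findings


def regions_without_backup_admin(listing, minimum=2):
    """Regions with fewer than `minimum` administrators, i.e. no backup."""
    admins = defaultdict(int)
    for entry in listing:
        if entry["level"] == "admin":
            admins[entry["region"]] += 1
    return sorted(r for r in {e["region"] for e in listing} if admins[r] < minimum)


if __name__ == "__main__":
    for user, level, action in reconcile(ACCESS_LISTING, JOB_ROSTER):
        print(f"{user}: has {level}, {action}")
    print("regions lacking a backup administrator:",
          regions_without_backup_admin(ACCESS_LISTING))
```

Run the backup check again on the listing after the removals are applied: in the constructed data, removing the departed administrator in Region 2 leaves that region with no administrator at all, which is exactly the availability gap the first finding describes.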